The PCI DSS is a security standard that embodies a number of underlying principles. What are these principles?
As with all PCI compliance questions, the answers usually lie in understanding the intent behind the requirements of the standard. Although there are many individual requirements detailed within the PCI DSS, collectively they are based upon a number of sound security principles. Here are eight of them.
1. Least privilege. Did you ever delete something by accident? In any secure environment, this principle is as much about restricting access as it is about saving you from yourself. All administrative privileges should be used only for the task in hand, and then relinquished once the task is complete.
2. Separation of duties. Why is it a bad idea to have a single role with access to everything? The same reason it is a bad idea to put all your eggs in one basket. It may seem convenient, but such systems are error prone and open to fraud and failure. It also violates principles 1, 5 and 8.
3. Simplicity, or “complexity is the enemy of security”. The malicious exploitation of technical vulnerabilities is possible because of poor technical configuration, implementation or just plain oversight. Unnecessary complexity provides extra opportunity for failure. Keep it simple.
4. Fail safe, or “default deny”. Implicit access is a poor approach here. Example: if you are putting together a list of users who do not need access to your card data environment, then you need to think again. Whether it is access controls, firewall rules, or any other security restriction, enforce the basic principle that nobody gets any access unless explicitly permitted.
5. Authorisation, Authentication, Access Control. All secure systems need to support full accountability for their use. This means granting access (authorisation), confirming the identity of the requesting party (authentication) and controlling what that party can do (access control). Just as important is your ability to revoke permission – especially when things go wrong.
6. Open Standards. This is especially true when it comes to the use of cryptography to protect your cardholder data. Designing your own proprietary encryption is usually a poor idea. It is unlikely that you will have the time or expertise to prove that your design really can keep a secret and is not simply based upon obscuring data.
7. Re-use. Why re-invent what has already been done, and done well? Just like the example of cryptography above, it is usually best to build on the work of others, not to start from scratch. Existing policies and procedures are also a candidate here – chances are you already have material that could easily be adapted.
8. Defence in depth. Relying on a single line of defence seems like an obvious strategic oversight. To understand this principle, try to recall how many times you have heard about a data breach occurring via a single, unsecured point of access. Also, have another look at these eight principles, and see how readily they overlap.
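To make the “default deny” point concrete, here is an added example (not from the original article) that places a “users who do not need access” deny list beside an explicit allow-list policy and shows why the first fails open; every user, action and policy entry in it is constructed for illustration.

```python
# Added example, not from the original article. It contrasts the "list of
# users who do not need access" approach with a default-deny allow-list.
# Every user, role and action below is constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    action: str  # e.g. "read" or "export" against the cardholder data environment


# Anti-pattern: access is implicit. Only users named here are blocked.
BLOCKED_USERS = frozenset({"contractor-1", "marketing-intern"})

# Default deny: a user gets exactly the actions a rule grants, nothing else.
PERMITTED = {
    "payments-ops": frozenset({"read"}),
    "dba-oncall": frozenset({"read", "export"}),
}


def deny_list_check(req: Request, blocked=BLOCKED_USERS) -> bool:
    """Fails open: any user not on the list, including one created after
    the list was written or one whose name is mistyped, is granted access."""
    return req.user not in blocked


def allow_list_check(req: Request, permitted=PERMITTED) -> bool:
    """Fails closed: access requires a rule naming both the user and the action."""
    return req.action in permitted.get(req.user, frozenset())


def revoke(permitted: dict, user: str) -> dict:
    """Revocation under default deny is one removal; no block entry is needed.
    Returns a new policy so the original mapping is left untouched."""
    return {u: acts for u, acts in permitted.items() if u != user}


def compare(req: Request) -> dict:
    """Both decisions for the same request, side by side."""
    return {"deny_list": deny_list_check(req), "allow_list": allow_list_check(req)}


if __name__ == "__main__":
    # A user nobody anticipated: the deny list lets them export card data.
    print(compare(Request("new-hire", "export")))      # {'deny_list': True, 'allow_list': False}
    # A permitted user asking for an action their rule does not grant.
    print(compare(Request("payments-ops", "export")))  # {'deny_list': True, 'allow_list': False}
```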
This article was originally written by Ambersail for the Worldpay “Safer Business” newsletter published earlier this year.